DETAILED ACTION
Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

2. Claims 1-4, 11-12, 15-16, 20-22, 25-33, 36-43 and 46-54 are rejected under 35 U.S.C. 103(a) as being unpatentable over BRP publications in view of Reshef et al. (6,584,569).

3. As per claim 1, BRP publications teach a method for protecting an application from executing an illegal or harmful operation request received from a distrusted environment; BRP teaches this because it teaches that Appshield protects the integrity of an e-commerce application by making it nearly impossible for hackers to use traditional security loopholes, either in the application code or in the web servers (see lines 27-29). BRP publications also teach determining whether said operation request is illegal or harmful to an environment of said application according to security settings designated for the application path, and preventing the application from executing an illegal or harmful operation request, because Appshield rejects unexpected, illegal inputs, generating an error page for the user and notifying management (see lines 30-33). BRP/Appshield teaches matching an operation request to the application path, where the application path is represented as a virtual directory of the application (see lines 22-26). BRP does not disclose designating an application path of an application as restricted. Reshef discloses designating an application path of an application as restricted (see col. 3, lines 60-67). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the restricted application path of Reshef with BRP publications; the motivation is that the detection phase searches for application path parameters in order to check for a vulnerability (see col. 3, lines 60-67).

4. As per claim 2, BRP publications disclose wherein the illegal and harmful operation request causes damage, because Appshield is designed to protect applications from illegal operations (see lines 27-31). BRP publications teach that these illegal operations are performed by hackers (see lines 27-31). Also, BRP publications teach that hackers threaten the effectiveness of Internet transactions (see lines 1-5). BRP teaches that a hacker could fraudulently change the price of a particular item online and purchase it at that price, could tap into secret medical records, or could access private passwords to log on to information on a site (see lines 6-11). The Examiner asserts that these are all illegal and harmful operations that cause damage.

5. As per claim 3, BRP publications teach wherein said illegal and harmful operation request is database manipulation, because BRP teaches that a hacker could access private passwords to log on to a particular site (see lines 7-9).

6. As per claim 4, BRP publications teach wherein said step of preventing includes the step of rejecting said illegal or harmful operation request; Appshield prevents illegal or harmful operation requests by rejecting them, because BRP publications teach that Appshield rejects unexpected, illegal inputs (see lines 30-32).

7. As per claim 11, BRP publications do not teach the following limitations; however, Reshef discloses wherein said step of determining comprises the steps of: comparing said operation request against stored known vulnerability patterns to determine a match; and blocking said operation request if said match is found (see col. 4, lines 9-32; col. 8, lines 36-51). It would have been obvious to one of ordinary skill in the art at the time of the invention to include comparing the operation request against stored known vulnerability patterns and blocking; the motivation is that application-level vulnerabilities have traditionally been discovered and reviewed by developers, who have to review the application line by line and understand the code to try to imagine or anticipate potential security loopholes (see col. 1, lines 62-67; col. 2, lines 1-13 of Reshef). Developers lack the expertise and knowledge to evaluate security flaws, and applications are constantly changing. Therefore, Reshef discloses a scanner that detects security vulnerabilities in applications, and stores the vulnerabilities and updates (see col. 4, lines 9-32).

8. As per claim 12, BRP publications do not teach the following limitations; however, Reshef discloses the step of updating said stored vulnerability patterns with newly found vulnerability patterns (see col. 8, lines 36-46). It would have been obvious to one of ordinary skill in the art at the time of the invention to include updating the stored vulnerability patterns with newly found vulnerability patterns of Reshef with BRP publications; the motivation is that application-level vulnerabilities have traditionally been discovered and reviewed by developers, who have to review the application line by line and understand the code to try to imagine or anticipate potential security loopholes (see col. 1, lines 62-67; col. 2, lines 1-13 of Reshef). Developers lack the expertise and knowledge to evaluate security flaws, and applications are constantly changing. Therefore, Reshef discloses a scanner that detects security vulnerabilities in applications, and stores the vulnerabilities and updates (see col. 4, lines 9-32 of Reshef).

9. As per claim 15, BRP publications do not teach the following limitations; however, Reshef discloses dividing said operation request into four zones (see col. 8, lines 1-7); comparing each of said four zones against stored known vulnerability patterns to determine a match; and blocking said operation request if said match is found (see col. 6, lines 1-12; col. 9, lines 32-53). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the four zones of Reshef with BRP publications; the motivation is that these four zones of Reshef are used to detect hacking of applications (see col. 3, lines 60-67; col. 4, lines 1-8; col. 7, lines 51-67).

10. As per claim 16, BRP publications do not teach the following limitations; however, Reshef discloses wherein said four zones represent a URI, query string, header, and body associated with said operation request (see col. 6, lines 1-12; col. 8, lines 1-7; col. 9, lines 32-53). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the four zones of Reshef with BRP publications; the motivation is that these four zones of Reshef are used to detect hacking of applications (see col. 3, lines 60-67; col. 4, lines 1-8; col. 7, lines 51-67).

11. As per claim 20, BRP publications do not teach designating an application path of the application as restricted, determining a destination of the operation request, and blocking the operation request if the destination is equal to the designated path. Reshef discloses designating an application path of the application as restricted; determining a destination of the operation request; and blocking the operation request if the destination is equal to the designated path (see col. 8, lines 61-67; col. 9, lines 1-3, 31-53). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the restricted application path of Reshef with BRP publications; the motivation is that the detection phase searches for application path parameters in order to check for a vulnerability (see col. 3, lines 60-67).

12. As per claim 21, BRP publications do not teach the following limitations; however, Reshef discloses compiling a list of acceptable operation requests, and comparing said operation request to said list of acceptable operation requests (see col. 4, lines 15-19; col. 8, lines 36-51). It would have been obvious to one of ordinary skill in the art at the time of the invention to include compiling a list of acceptable operation requests from Reshef with BRP publications; the motivation is that the scanner of Reshef includes predefined rules which are used to create HTTP requests based on vulnerabilities of the platforms that can be employed at the web application (see col. 4, lines 8-19 of Reshef).

13. As per claim 22, BRP publications are silent on the following limitations; however, Reshef discloses determining a parameter value contained within said operation request (see col. 3, lines 44-54), and applying a pre-defined rule to said parameter based on said parameter type, wherein said pre-defined rule defines one or more acceptable parameter values (see col. 3, lines 60-67; col. 4, lines 1-19). It would have been obvious to one of ordinary skill in the art at the time of the invention to include determining a parameter value contained within the operation request of Reshef with BRP publications; the motivation is that the scanner can dynamically traverse the web application to examine the attributes of the path and data parameters for hackers modifying input fields (see col. 3, lines 44-66).
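The following is an added illustration, not part of this Office Action, of the claimed mechanism as characterized in paragraphs 7 and 9 through 13 above: dividing an HTTP request into URI, query string, header and body zones, blocking a request whose destination equals a restricted application path, comparing each zone against stored vulnerability patterns, and applying a pre-defined rule to each parameter according to its type. The patterns, restricted paths, parameter rules and sample requests are constructed for the example; they are not taken from the BRP publications, the Reshef patent, or the application under examination.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Stored vulnerability patterns (claims 11 and 15). These three regexes are
# constructed for this example; they are not the rule set of any cited product.
VULN_PATTERNS = {
    "sql_union": re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
}

# Application paths designated as restricted (claim 20). Hypothetical paths.
RESTRICTED_PATHS = {"/admin/config", "/internal/debug"}

# Pre-defined rules per parameter (claim 22): the rule is selected by the
# parameter's name/type and defines the acceptable values. Hypothetical rules.
PARAM_RULES = {
    "qty": ("int_range", (1, 99)),
    "currency": ("enum", {"USD", "EUR"}),
    "item": ("regex", re.compile(r"[A-Za-z0-9_-]{1,32}")),
}


def split_zones(raw):
    """Divide a raw HTTP/1.1 request into the four zones of claim 16:
    URI (path), query string, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": parts.path, "query": parts.query,
            "headers": headers, "body": body}


def check_param(name, value):
    """Apply the pre-defined rule for this parameter; return a reason or None."""
    rule = PARAM_RULES.get(name)
    if rule is None:
        return None  # no rule for this parameter: nothing to enforce
    kind, spec = rule
    if kind == "int_range":
        lo, hi = spec
        ok = value.isdigit() and lo <= int(value) <= hi
        return None if ok else f"param {name}={value!r} outside {lo}-{hi}"
    if kind == "enum":
        return None if value in spec else f"param {name}={value!r} not in {sorted(spec)}"
    if kind == "regex":
        return None if spec.fullmatch(value) else f"param {name}={value!r} fails format rule"
    return f"unknown rule kind {kind!r} for {name}"


def inspect_request(raw):
    """Return ("allow", None) or ("block", reason) for one raw HTTP request."""
    z = split_zones(raw)
    # Claim 20: a destination equal to a restricted path is blocked outright.
    if z["uri"] in RESTRICTED_PATHS:
        return "block", f"restricted path {z['uri']}"
    # Claim 15: compare each zone against the stored patterns. Query and body
    # are percent-decoded first; otherwise "1+UNION+SELECT" evades "\s".
    zones = {
        "uri": unquote_plus(z["uri"]),
        "query": unquote_plus(z["query"]),
        "headers": "\r\n".join(f"{k}: {v}" for k, v in z["headers"].items()),
        "body": unquote_plus(z["body"]),
    }
    for zone_name, text in zones.items():
        for pat_name, pat in VULN_PATTERNS.items():
            if pat.search(text):
                return "block", f"{pat_name} pattern in {zone_name}"
    # Claim 22: per-parameter rules over the query string and a form body.
    params = parse_qsl(z["query"], keep_blank_values=True)
    if z["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(z["body"], keep_blank_values=True)
    for name, value in params:
        reason = check_param(name, value)
        if reason:
            return "block", reason
    return "allow", None


# Constructed sample requests (not captured traffic).
BENIGN = ("GET /shop/item?item=widget-42&qty=3&currency=USD HTTP/1.1\r\n"
          "Host: shop.example\r\n\r\n")
SQLI = ("GET /shop/item?item=widget-42&qty=1+UNION+SELECT+password HTTP/1.1\r\n"
        "Host: shop.example\r\n\r\n")
RESTRICTED = "GET /admin/config HTTP/1.1\r\nHost: shop.example\r\n\r\n"
HEADER_XSS = ("GET /shop/item?item=widget-42 HTTP/1.1\r\nHost: shop.example\r\n"
              "Referer: http://evil.example/<script>alert(1)</script>\r\n\r\n")
BAD_PARAM = ("POST /shop/cart HTTP/1.1\r\nHost: shop.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "item=widget-42&qty=500&currency=USD")
```

The order of the checks matters in practice: the pattern comparison runs over the percent-decoded query string and body, since an encoded request such as qty=1+UNION+SELECT would otherwise slip past a whitespace-based pattern, and the header zone is inspected alongside the URI and query string, so a payload placed in a Referer header is caught as readily as one in the query string.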

14. As per claim 25, BRP publications do not teach the following limitations; however, Reshef discloses storing said plurality of operation requests into a virtual directory (see col. 8, lines 13-20); building a dynamic range of entered values for each parameter in said plurality of operation requests (see col. 8, lines 61-67; col. 9, lines 1-3; col. 10, lines 1-20); computing an acceptable range of values for each parameter based on a statistical model applied to said dynamic range of entered values for each value (see col. 10, lines 1-35, 56-60); receiving a subsequent operation request; identifying parameter values in said subsequent operation request; and determining if said parameter values in said subsequent operation request are within said acceptable range of values (see col. 8, lines 61-67; col. 9, lines 1-3). It would have been obvious to one of ordinary skill in the art at the time of the invention to include adding the parameter values in the subsequent operation request to the dynamic range; the motivation is that the mutated requests can be initiated during the attack stage to evaluate the real threat that the potential vulnerabilities pose (see col. 10, lines 40-48 of Reshef et al.).

15. As per claim 26, BRP publications do not teach the steps of adding said parameter values in the subsequent operation request to the dynamic range, and adjusting said acceptable range of values for each parameter by applying said statistical model. However, Reshef et al. discloses adding said parameter values in the subsequent operation request to the dynamic range, and adjusting said acceptable range of values for each parameter by applying said statistical model (see col. 9, lines 60-67; col. 10, lines 1-48). It would have been obvious to one of ordinary skill in the art at the time of the invention to include adding the parameter values in the subsequent operation request to the dynamic range; the motivation is that the mutated requests can be initiated during the attack stage to evaluate the real threat that the potential vulnerabilities pose (see col. 10, lines 40-48 of Reshef et al.).
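An added illustration, not part of this Office Action or of the cited art, of the statistical range mechanism recited in claims 25 and 26 as characterized in paragraphs 14 and 15 above: the entered values of each parameter form the dynamic range, an acceptable range is computed from them, a subsequent request is checked against that range, and accepted values are added back so the range adjusts. The model (mean plus or minus three standard deviations, enforced only after a minimum number of samples) is an assumption made for the example, since neither the claims as summarized nor the cited passages fix a particular model; the traffic is constructed.

```python
from statistics import mean, pstdev


class ParameterRangeModel:
    """Learn an acceptable numeric range per parameter from observed values.

    Statistical model (an assumption for this example): a value is acceptable
    when it lies within K population standard deviations of the mean of the
    values seen so far. Until MIN_SAMPLES values have been observed for a
    parameter, no range is enforced for it. If every observed value is
    identical, the standard deviation is 0 and only that value is accepted;
    a deployment would add a floor to the width of the range.
    """

    K = 3.0
    MIN_SAMPLES = 5

    def __init__(self):
        self.observed = {}  # parameter name -> list of values (the "dynamic range")
        self.ranges = {}    # parameter name -> (low, high) acceptable range

    def observe(self, params):
        """Add one request's parameter values to the dynamic range and recompute."""
        for name, value in params.items():
            try:
                x = float(value)
            except (TypeError, ValueError):
                continue  # non-numeric parameters are not modelled here
            self.observed.setdefault(name, []).append(x)
            self._recompute(name)

    def _recompute(self, name):
        xs = self.observed[name]
        if len(xs) < self.MIN_SAMPLES:
            self.ranges.pop(name, None)
            return
        mu, sd = mean(xs), pstdev(xs)
        self.ranges[name] = (mu - self.K * sd, mu + self.K * sd)

    def check(self, params):
        """Return [(name, value, (low, high))] for values outside the learned range.

        A parameter that was numeric in every observed request but arrives
        non-numeric is reported as a violation too."""
        violations = []
        for name, value in params.items():
            rng = self.ranges.get(name)
            if rng is None:
                continue
            try:
                x = float(value)
            except (TypeError, ValueError):
                violations.append((name, value, rng))
                continue
            if not (rng[0] <= x <= rng[1]):
                violations.append((name, value, rng))
        return violations

    def check_and_learn(self, params):
        """Claim 26 flow: check the request, then fold accepted values back in
        so the acceptable range is recomputed with them."""
        violations = self.check(params)
        if not violations:
            self.observe(params)
        return violations


def build_demo_model():
    """Train on constructed traffic: prices 10..20 for one item (not real data)."""
    model = ParameterRangeModel()
    for price in range(10, 21):
        model.observe({"price": str(price), "item": "widget-42"})
    return model
```

With the constructed prices 10 through 20 the learned range for "price" is roughly 5.5 to 24.5, so a later request carrying price=0.01 (the price-tampering case the BRP publications describe) is reported, while price=24 passes and is folded into the range. The "item" parameter is non-numeric throughout and is never assigned a range.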

16. As per claim 27, BRP publications do not teach the limitations below; however, Reshef et al. discloses receiving one or more operation requests; formatting each operation request into a formatted message according to a designated protocol, wherein the designated communication protocol is determined by the type of application being requested; indexing the one or more formatted messages (see col. 3, lines 44-58); translating the formatted messages into internal messages according to an encoding scheme; resolving a destination node for each operation request; storing a copy of the indexed one or more formatted messages (see col. 3, lines 60-67; col. 4, lines 1-8); and applying one or more pipes to each operation request, wherein the number and types of pipes applied to each operation request are based on said resolved destination node of each operation request (see col. 4, lines 1-30). It would have been obvious to one of ordinary skill in the art at the time of the invention to combine BRP with Reshef, as both teach protecting an application from hackers; the motivation to protect the application from hackers is that a hacker can alter a parameter in an HTTP request and freeze the application (see col. 4, lines 1-8). Also, the newly added limitations have already been addressed (see claim 1).

17. As per claim 28, BRP publications teach wherein the designated communications protocol is HTTP (see lines 22-31).

18. As per claim 29, BRP publications inherently teach wherein said encoding scheme is ASCII, because BRP publications teach the HTTP application protocol (see lines 22-31), and HTTP uses ASCII.

19. As per claim 30, it is rejected under the same basis as claim 9. Further, the application of the pipe of Reshef is the scanner (see col. 44-53).

20. As per claim 31, it is rejected under the same basis as claim 10.

21. As per claim 32, it is rejected under the same basis as claim 11.

22. As per claim 33, it is rejected under the same basis as claim 12. 

23. As per claim 48, BRP publications teach a system for implementing an application-layer security layer between a trusted application and a distrusted computer environment, including means for receiving an operation request for the application (see lines 16-19); means for embedding the operation request into a data format used by the trusted application (see lines 30-33); and means for checking the contents of the operation request to identify if the operation request is illegal or harmful to an environment of the application (see lines 27-29). BRP publications do not disclose that the operation request illegal or harmful to an environment of the application consists of a uniform resource identifier. However, Reshef et al. discloses wherein the illegal or harmful request consists of a uniform resource identifier (see col. 6, lines 1-12, 49-56). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the uniform resource identifier; the motivation is that online theft is one vulnerability by which a hacker can change the purchase price by changing the value of a parameter in the HTTP request, so by checking the uniform resource identifier online theft can be prevented (see col. 7, lines 51-67).

24. As per claim 49, BRP publications teach wherein said data format is selected from HTTP (see lines 22-31).

25. As per claim 50, BRP publications inherently disclose wherein said receiving means is a queued socket server, because BRP publications teach that e-commerce applications are protected from hackers, and e-commerce applications use a socket server to protect data (see lines 22-29).

26. As per claim 54, the means for providing a firewall is inherent in BRP, because BRP teaches that Appshield includes a policy recognition engine (see lines 22-24). Also, BRP publications teach that Appshield recognizes the intended application security policy by analyzing each outbound hypertext markup language page, and enforces compliance with the policy for each incoming application (see lines 22-26).

27. As per claim 36, it is rejected under the same basis as claim 15. 

28. As per claim 37, it is rejected under the same basis as claim 16.

29. As per claim 38, it is rejected under the same basis as claim 17. 

30. As per claim 39, it is rejected under the same basis as claim 18. 

31. As per claim 40, it is rejected under the same basis as claim 19. 

32. As per claim 41, it is rejected under the same basis as claim 20.

33. As per claim 42, it is rejected under the same basis as claim 21 . 

34. As per claim 43, it is rejected under the same basis as claim 22. 

35. As per claim 46, it is rejected under the same basis as claim 25. 

36. As per claim 47, it is rejected under the same basis as claim 26. 

37. As per claim 51, limitations have already been addressed (see claim 27). 

38. As per claim 52, it is rejected under the same basis as claim 49. 

39. As per claim 53, it is rejected under the same basis as claim 29. 

40. Claims 5-10 and 17-19 are allowable, because neither the prior art nor the non-patent literature discloses or teaches modifying the illegal or harmful operation into a legal or harmless operation; the prior art discloses that when an illegal or harmful operation is detected it is analyzed and logged, and does not disclose modifying the operation into a legal request.

41. Claims 13-14 are allowable, because the prior art discloses that when an illegal or harmful operation is detected it is analyzed and logged, and does not disclose modifying the operation into a legal request. Claims 34-35 are objected to, because their base claims are rejected. The claims are allowable because of computing a hash value for every consecutive specified number of characters in the operation request, and comparing every hash value to stored hash values. Neither the prior art nor the non-patent literature discloses computing hash values for a number of characters; the prior art discloses looking for parameters and checking for tampering of the application, not computing a hash value for the characters.
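An added illustration, not part of this Office Action, of the limitation of claims 34-35 as characterized in the preceding paragraph: computing a hash value for every consecutive run of a specified number of characters in the operation request and comparing each to stored hash values. The Rabin-Karp style rolling hash, the window length of eight characters and the signature strings are assumptions made for the example and are not taken from the application or the cited art. Each hash hit is confirmed by a string comparison, since a hash match alone may be a collision.

```python
# Polynomial rolling hash (Rabin-Karp style). The hash function, modulus and
# window length are assumptions for this example; the claim only recites
# "a hash value" for a "specified number" of consecutive characters.
BASE = 257
MOD = (1 << 61) - 1
WINDOW = 8  # the specified number of consecutive characters

# Constructed signature strings whose windows are hashed and stored.
SIGNATURES = ["UNION SELECT", "../../etc/passwd", "<script>alert(", "' OR 1=1--"]


def window_hashes(text, n=WINDOW):
    """Yield (offset, hash) for every n-character window of text.

    The hash of window i+1 is derived from window i in O(1), so the whole
    request is hashed in O(len(text)) rather than O(n * len(text))."""
    if len(text) < n:
        return
    high = pow(BASE, n - 1, MOD)  # weight of the oldest character in a window
    h = 0
    for ch in text[:n]:
        h = (h * BASE + ord(ch)) % MOD
    yield 0, h
    for i in range(n, len(text)):
        # Drop text[i-n] from the top, shift, append text[i] at the bottom.
        h = ((h - ord(text[i - n]) * high) * BASE + ord(text[i])) % MOD
        yield i - n + 1, h


def build_signature_table(signatures, n=WINDOW):
    """Stored hash values: hash -> set of n-char substrings producing it.

    Keeping the substrings lets a hit be confirmed by comparison, so a hash
    collision with benign text cannot by itself cause a block."""
    table = {}
    for sig in signatures:
        for off, h in window_hashes(sig, n):
            table.setdefault(h, set()).add(sig[off:off + n])
    return table


def scan(request_text, table, n=WINDOW):
    """Compare every window hash in the request to the stored hash values.

    Returns [(offset, window)] for confirmed hits, in request order."""
    hits = []
    for off, h in window_hashes(request_text, n):
        if h in table:
            window = request_text[off:off + n]
            if window in table[h]:  # confirm; rules out a pure collision
                hits.append((off, window))
    return hits
```

Scanning "GET /item?id=1 UNION SELECT password FROM users HTTP/1.1" against the table built from SIGNATURES reports the five eight-character windows of "UNION SELECT" starting at offset 15, and a request with no signature content reports nothing; the same scan over the whole request text, headers and body included, covers an injection that arrives in a form body rather than the query string.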

42. Claims 23-24 are allowable. Claims 44-45 are allowable, because their base claims are rejected. The claims are allowable because of decrypting values in the cookie message header and modifying the operation request to reflect the decrypted values. The prior art fails to disclose these limitations. An example of prior art that does not disclose these is Reshef; Reshef discloses that cookie values are checked to see if they have been manipulated. The non-patent literature teaches cookie poisoning, by which a hacker can take on another's identity online. However, the prior art fails to disclose the limitations above.

Response to Amendment 

43. The Applicant states that the reasons to combine BRP and Reshef are improper. 

44. In response to applicant's argument that there is no suggestion to combine the references, the examiner recognizes that obviousness can only be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). In this case, BRP does not disclose designating an application path of an application as restricted; however, Reshef discloses designating an application path of an application as restricted (see col. 3, lines 60-67). It would have been obvious to one of ordinary skill in the art at the time of the invention to include the restricted application path of Reshef with BRP publications; the motivation is that the detection phase searches for application path parameters in order to check for a vulnerability (see col. 3, lines 60-67). The Applicant states that Reshef et al. does not disclose designating an application path of an application as restricted. The Examiner disagrees with the Applicant. Reshef discloses a detection phase; the detection phase searches through the application interface structure and, using a set of detection rules, identifies application-level messages that may be potentially vulnerable (see col. 3, lines 60-67).

45. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

46. The Applicant states that Reshef's scanner only identifies vulnerabilities and does not prevent those vulnerabilities from being exploited by hackers. Appshield, not Reshef, was used to reject the "preventing" limitation. Appshield teaches preventing an application from executing an illegal or harmful operation request, because Appshield rejects unexpected, illegal inputs, generating an error page for the user and notifying management (see lines 30-33).

47. The Applicant states that BRP does not disclose a trusted environment. Claim 1 recites a trusted environment; however, it is recited in the preamble. The preamble holds no patentable weight. Thus, the argument is moot.

48. The Applicant states that Reshef does not disclose designating an application path. The Examiner disagrees with the Applicant. Reshef discloses that the scanner examines the application-level messages that flow between a web server hosting a web-based application and a client browser operating in an intended or authorized way (see col. 3, lines 44-49). This enables the scanner to discover the structure or elements of the application's interface with external clients, particularly the path and data parameters employed in the interface (see col. 3, lines 44-59).

49. The Applicant states that neither Appshield nor Reshef discloses matching an operation request to the application path, wherein the application path is a virtual directory or subdirectory of the application, according to security settings designated for the application path (see lines 22-26). The Examiner disagrees with the Applicant. Appshield teaches recognizing the intended application security policy by analyzing each outbound hypertext markup language page. Then it enforces compliance with the policy for each incoming hypertext transfer protocol (HTTP) application.

Final Action 

50. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Application/Control Number: 09/809,030
Art Unit: 2131
Page 14

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jenise E. Jackson whose telephone number is (571) 272-3791. The examiner can normally be reached on M-Th (6:00 a.m. - 3:30 p.m.) and on alternate Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ayaz Sheikh, can be reached on (571) 272-3795. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.